diff --git a/src/aws.go b/src/aws.go
index ff0a7605..a609daa4 100644
--- a/src/aws.go
+++ b/src/aws.go
@@ -825,6 +825,9 @@ func AwsLookup(name string) interface{} {
 "aws_transcribe_medical_vocabulary": awsTranscribeMedicalVocabulary,
 "aws_transcribe_vocabulary": awsTranscribeVocabulary,
 "aws_transcribe_vocabulary_filter": awsTranscribeVocabularyFilter,
+ "aws_oam_link": awsOamLink,
+ "aws_oam_sink": awsOamSink,
+ "aws_oam_sink_policy": awsOamSinkPolicy,
 }
 return TFLookup[name]
diff --git a/src/coverage/aws.md b/src/coverage/aws.md
index 5807b6b0..71b9219d 100644
--- a/src/coverage/aws.md
+++ b/src/coverage/aws.md
@@ -1,6 +1,6 @@
 # todo aws
-Resource percentage coverage 54.11
+Resource percentage coverage 55.13
 Datasource percentage coverage 100.00
 ./resource.ps1 aws_amplify_app
@@ -127,6 +127,7 @@ Datasource percentage coverage 100.00
 ./resource.ps1 aws_directory_service_shared_directory
 ./resource.ps1 aws_directory_service_shared_directory_accepter
 ./resource.ps1 aws_directory_service_trust
+./resource.ps1 aws_dms_replication_config
 ./resource.ps1 aws_docdbelastic_cluster
 ./resource.ps1 aws_dx_bgp_peer
 ./resource.ps1 aws_dx_connection
@@ -387,9 +388,6 @@ Datasource percentage coverage 100.00
 ./resource.ps1 aws_networkmanager_transit_gateway_registration
 ./resource.ps1 aws_networkmanager_transit_gateway_route_table_attachment
 ./resource.ps1 aws_networkmanager_vpc_attachment
-./resource.ps1 aws_oam_link
-./resource.ps1 aws_oam_sink
-./resource.ps1 aws_oam_sink_policy
 ./resource.ps1 aws_opensearch_domain_saml_options
 ./resource.ps1 aws_opensearch_inbound_connection_accepter
 ./resource.ps1 aws_opensearch_outbound_connection
diff --git a/src/coverage/coverage_test.go b/src/coverage/coverage_test.go
index 741e0c16..149d160d 100644
--- a/src/coverage/coverage_test.go
+++ b/src/coverage/coverage_test.go
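Review bot: The three new `"aws_oam_*"` entries in the `AwsLookup` map are appended after the `"aws_transcribe_*"` block rather than next to the keys they sort with, which is a style point only: if the map is kept in key order elsewhere (not visible from this hunk), they belong with the `aws_networkmanager_*`/`aws_opensearch_*` neighbours that src/coverage/aws.md lists around them. Placing new entries at the end of a long literal also makes later duplicate keys harder to spot by eye, although the compiler rejects a duplicated constant key. The body of `AwsLookup` starts and ends outside the hunk.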
@@ -48,6 +48,7 @@ func Test_percent(t *testing.T) {
 t.Run(tt.name, func(t *testing.T) {
 t.Parallel()
 got := percent(tt.args.missing, tt.args.data)
+
 if !pike.AlmostEqual(got, tt.want) {
 t.Errorf("percent() = %v, want %v", got, tt.want)
 }
@@ -69,6 +70,7 @@ func Test_coverageAzure(t *testing.T) {
 tt := tt
 t.Run(tt.name, func(t *testing.T) {
 t.Parallel()
+
 if err := coverageAzure(); (err != nil) != tt.wantErr {
 t.Errorf("coverageAzure() error = %v, wantErr %v", err, tt.wantErr)
 }
@@ -90,6 +92,7 @@ func Test_coverageGcp(t *testing.T) {
 tt := tt
 t.Run(tt.name, func(t *testing.T) {
 t.Parallel()
+
 if err := coverageGcp(); (err != nil) != tt.wantErr {
 t.Errorf("coverageGcp() error = %v, wantErr %v", err, tt.wantErr)
 }
diff --git a/src/files.go b/src/files.go
index d31d8186..ab506683 100644
--- a/src/files.go
+++ b/src/files.go
@@ -2115,3 +2115,12 @@ var awsTranscribeVocabulary []byte
 //go:embed mapping/aws/resource/transcribe/aws_transcribe_vocabulary_filter.json
 var awsTranscribeVocabularyFilter []byte
+
+//go:embed mapping/aws/resource/oam/aws_oam_link.json
+var awsOamLink []byte
+
+//go:embed mapping/aws/resource/oam/aws_oam_sink.json
+var awsOamSink []byte
+
+//go:embed mapping/aws/resource/oam/aws_oam_sink_policy.json
+var awsOamSinkPolicy []byte
diff --git a/src/mapping/aws/resource/oam/aws_oam_link.json b/src/mapping/aws/resource/oam/aws_oam_link.json
new file mode 100644
index 00000000..a283e549
--- /dev/null
+++ b/src/mapping/aws/resource/oam/aws_oam_link.json
@@ -0,0 +1,21 @@
+[
+ {
+ "apply": [
+ "oam:CreateLink",
+ "oam:GetLink",
+ "oam:UpdateLink",
+ "oam:DeleteLink",
+ "cloudwatch:Link"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [
+ "oam:DeleteLink"
+ ],
+ "modify": [
+ "oam:UpdateLink"
+ ],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/oam/aws_oam_sink.json b/src/mapping/aws/resource/oam/aws_oam_sink.json
new file mode 100644
index 00000000..fb75364f
--- /dev/null
+++ b/src/mapping/aws/resource/oam/aws_oam_sink.json
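Review bot: `"attributes": { "tags": [] }` in aws_oam_link.json maps no permission to the `tags` attribute, yet the fixture terraform/aws/backup/aws_oam_link.tf added in this same commit sets `tags` on the link, and the sibling aws_oam_sink.json maps that attribute to `oam:TagResource` and `oam:UnTagResource`. With the link mapping as written, the generated least-privilege policy for a tagged link is missing the tagging actions, so applying the fixture with only the mapped permissions is likely to be denied. Suggest mirroring the sink mapping here, `"tags": ["oam:TagResource", "oam:UnTagResource"]`, and adding `"oam:ListTagsForResource"` to `apply` as the sink mapping does, since the provider presumably reads tags back after create; I can't confirm the exact read calls from this hunk.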
@@ -0,0 +1,21 @@
+[
+ {
+ "apply": [
+ "oam:CreateSink",
+ "oam:GetSink",
+ "oam:DeleteSink",
+ "oam:ListTagsForResource"
+ ],
+ "attributes": {
+ "tags": [
+ "oam:TagResource",
+ "oam:UnTagResource"
+ ]
+ },
+ "destroy": [
+ "oam:DeleteSink"
+ ],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/src/mapping/aws/resource/oam/aws_oam_sink_policy.json b/src/mapping/aws/resource/oam/aws_oam_sink_policy.json
new file mode 100644
index 00000000..99fbd435
--- /dev/null
+++ b/src/mapping/aws/resource/oam/aws_oam_sink_policy.json
@@ -0,0 +1,14 @@
+[
+ {
+ "apply": [
+ "oam:PutSinkPolicy",
+ "oam:GetSinkPolicy"
+ ],
+ "attributes": {
+ "tags": []
+ },
+ "destroy": [],
+ "modify": [],
+ "plan": []
+ }
+]
diff --git a/terraform/aws/backup/aws_oam_link.tf b/terraform/aws/backup/aws_oam_link.tf
new file mode 100644
index 00000000..6c57704a
--- /dev/null
+++ b/terraform/aws/backup/aws_oam_link.tf
@@ -0,0 +1,9 @@
+resource "aws_oam_link" "pike" {
+ label_template = "$AccountName"
+ resource_types = ["AWS::CloudWatch::Metric"]
+ sink_identifier = aws_oam_sink.pike.id
+ tags = {
+ Env = "prod"
+ pike = "permissions"
+ }
+}
diff --git a/terraform/aws/backup/aws_oam_sink.tf b/terraform/aws/backup/aws_oam_sink.tf
new file mode 100644
index 00000000..bc308fd7
--- /dev/null
+++ b/terraform/aws/backup/aws_oam_sink.tf
@@ -0,0 +1,7 @@
+resource "aws_oam_sink" "pike" {
+ name = "ExampleSink"
+
+ tags = {
+ Env = "prod"
+ }
+}
diff --git a/terraform/aws/backup/aws_oam_sink_policy.tf b/terraform/aws/backup/aws_oam_sink_policy.tf
new file mode 100644
index 00000000..30b6bd92
--- /dev/null
+++ b/terraform/aws/backup/aws_oam_sink_policy.tf
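Review bot: `"oam:UnTagResource"` in the `tags` list of aws_oam_sink.json spells the action with a capital T, whereas every other tag-removal action on this page (the `transcribe:UntagResource` entries removed in terraform/aws/role/aws_iam_policy.basic.tf) uses `UntagResource`, which is also how the OAM API operation is named. IAM evaluates the `Action` element case-insensitively, so the policy still grants the call, but the string the tool emits will not match the documented action name, and anything that compares action strings literally (coverage checks, policy linters, reviewers grepping for the action) will see a different action. Suggest `"oam:UntagResource"` here and in the same entry added to aws_iam_policy.basic.tf later in this commit.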
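Review bot: `"modify": []` in aws_oam_sink_policy.json leaves in-place updates without a permission, although the only mutable attribute, `policy`, is rewritten through the same `oam:PutSinkPolicy` call that `apply` lists; the link mapping in this commit puts `oam:UpdateLink` under both `apply` and `modify`, so for consistency this file should read `"modify": ["oam:PutSinkPolicy"]`. Whether `"destroy": []` is right depends on what the provider does when the resource is removed, which this hunk does not show; if it re-puts an empty or default policy on delete, `destroy` needs `oam:PutSinkPolicy` too.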
@@ -0,0 +1,21 @@
+resource "aws_oam_sink_policy" "pike" {
+ sink_identifier = aws_oam_sink.pike.id
+ policy = jsonencode({
+ Version = "2012-10-17"
+ Statement = [
+ {
+ Action = ["oam:CreateLink", "oam:UpdateLink"]
+ Effect = "Allow"
+ Resource = "*"
+ Principal = {
+ "AWS" = ["1111111111111", "680235478471"]
+ }
+ Condition = {
+ "ForAllValues:StringEquals" = {
+ "oam:ResourceTypes" = ["AWS::CloudWatch::Metric", "AWS::Logs::LogGroup"]
+ }
+ }
+ }
+ ]
+ })
+}
diff --git a/terraform/aws/role/aws_iam_policy.basic.tf b/terraform/aws/role/aws_iam_policy.basic.tf
index c4490af1..edc45d5a 100644
--- a/terraform/aws/role/aws_iam_policy.basic.tf
+++ b/terraform/aws/role/aws_iam_policy.basic.tf
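Review bot: The `Principal` list `"AWS" = ["1111111111111", "680235478471"]` in the sink-policy fixture mixes a 13-digit value, which is not a well-formed 12-digit account ID and will most likely be rejected as a malformed principal when the fixture is applied, with a value that reads like a real account ID. A sink policy is a resource policy that lets the named accounts create links into this sink, so a fixture that is applied during permission testing should name only documented placeholder accounts, e.g. `"AWS" = ["123456789012"]`, rather than a live account. The `oam:ResourceTypes` condition and `Resource = "*"` look as the service expects for a sink policy.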
@@ -7,73 +7,26 @@ resource "aws_iam_policy" "basic" {
 "Sid" : "0",
 "Effect" : "Allow",
 "Action" : [
+ //aws_oam_sink
+ "oam:CreateSink",
+ "oam:GetSink",
+ "oam:DeleteSink",
+ "oam:ListTagsForResource",
+ "oam:TagResource",
+ "oam:UnTagResource",
+
+
+ //aws_oam_link
+ "oam:CreateLink",
+ "oam:GetLink",
+ "oam:UpdateLink",
+ "oam:DeleteLink",
+ "cloudwatch:Link",
+
+ //aws_oam_sink_policy
+ "oam:PutSinkPolicy",
+ "oam:GetSinkPolicy"
- //aws_transcribe_language_model
- "transcribe:CreateLanguageModel",
- "transcribe:DescribeLanguageModel",
- "transcribe:DeleteLanguageModel",
- "iam:PassRole",
- "transcribe:TagResource",
- "transcribe:UntagResource",
-
-
- //aws_transcribe_medical_vocabulary
- "transcribe:CreateMedicalVocabulary",
- "transcribe:GetMedicalVocabulary",
- "transcribe:DeleteMedicalVocabulary",
- "transcribe:TagResource",
- "transcribe:UntagResource",
-
- //aws_transcribe_vocabulary
- "transcribe:CreateVocabulary",
- "transcribe:GetVocabulary",
- "transcribe:DeleteVocabulary",
- "transcribe:TagResource",
- "transcribe:UntagResource",
-
- //aws_transcribe_vocabulary_filter
- "transcribe:CreateVocabularyFilter",
- "transcribe:GetVocabularyFilter",
- "transcribe:UpdateVocabularyFilter",
- "transcribe:ListTagsForResource",
- "transcribe:DeleteVocabularyFilter",
- "transcribe:TagResource",
- "transcribe:UntagResource",
-
- "dynamodb:DeleteItem",
- "dynamodb:DescribeTable",
- "dynamodb:GetItem",
- "dynamodb:PutItem",
- "iam:CreateRole",
- "iam:DeleteRole",
- "iam:DeleteRolePolicy",
- "iam:GetRole",
- "iam:GetRolePolicy",
- "iam:ListAttachedRolePolicies",
- "iam:ListInstanceProfilesForRole",
- "iam:ListRolePolicies",
- "iam:PutRolePolicy",
- "s3:CreateBucket",
- "s3:DeleteBucket",
- "s3:DeleteObject",
- "s3:GetAccelerateConfiguration",
- "s3:GetBucketAcl",
- "s3:GetBucketCORS",
- "s3:GetBucketLogging",
- "s3:GetBucketObjectLockConfiguration",
- "s3:GetBucketPolicy",
- "s3:GetBucketRequestPayment",
- "s3:GetBucketTagging",
- "s3:GetBucketVersioning",
- "s3:GetBucketWebsite",
- "s3:GetEncryptionConfiguration",
- "s3:GetLifecycleConfiguration",
- "s3:GetObject",
- "s3:GetObjectAcl",
- "s3:GetObjectTagging",
- "s3:GetReplicationConfiguration",
- "s3:ListBucket",
- "s3:PutObject"
 ],
 "Resource" : "*",
 }
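Review bot: Besides the `transcribe:*` actions that the new `oam:*` block replaces, this hunk also removes every `dynamodb`, `iam` and `s3` action from the `basic` policy's `Action` list; if the role still relies on any of those outside the rotating backup fixtures (a state backend, the role fixtures under terraform/aws/role, or `iam:PassRole` for a service-linked resource), it loses them with this commit, so it is worth confirming the removal was intended and not a copy-over of a reduced list. The enclosing `resource "aws_iam_policy" "basic"` block begins before the hunk, and the closing `]`/`}` context after `"s3:PutObject"` shows the list is otherwise well-formed. As a minor style point, the two consecutive blank lines after `"oam:UnTagResource",` differ from the single blank line separating the other groups.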